CGU issues guidance for evaluation of compliance programs of companies under investigation


By Muriel Sotero – Associate

On September 14, 2018, CGU issued the “Manual for Evaluation of Compliance Programs in Sanctioning Administrative Procedures” (“Manual”). The Manual’s goal is to provide guidance to the public officials responsible for evaluating the compliance program of companies when applying sanctions, after an investigation is concluded and an Administrative Accountability Procedure (“PAR” in Portuguese) is initiated for violations of the Brazilian Anti-Bribery Law. The Manual is also very useful for companies to verify if their compliance programs are in accordance with the expectations of the CGU.

Guidance with clearer parameters on the subject was necessary, given the lack of detail on the evaluation of compliance programs in Decree 8.420/2015 (“Decree”). The Manual sets forth questions to assist evaluators in assessing compliance programs according to 15 out of the 16 parameters from the Decree. One of the parameters (transparency on political donations) is no longer applicable, since companies are now prohibited from making political donations.

Not only does the Manual establish questions that evaluators should use to evaluate compliance programs, it also provides examples of how companies can give evidence that they fulfill such requirements.

Before we discuss the questions that should be answered regarding compliance programs, below are a few relevant aspects of the Manual:

• When will the compliance program be presented to authorities?
Once authorities have sufficient evidence that improper conduct took place, a Commission to conduct the PAR (“CPAR”) will be designated, and such Commission should formally request companies to present information about their compliance program along with their written defense. The Manual also indicates that the CPAR should allow companies to update the information presented regarding their compliance program, depending on the duration of the PAR.

The presentation of the Compliance Program will be made through the Profile Report and the Compliance Report forms, as established by the CGU Ordinance 909/2015.

• Who will evaluate the Compliance Program?
The Manual establishes that preferably, the members of CPAR should evaluate the compliance program. However, some public officials who are more knowledgeable and have more experience in evaluating compliance programs may not be part of the CPAR, in which case the CPAR may request assistance from those public officials who are specialized in compliance. Nevertheless, the decision on how the compliance program would impact the sanctions should be made exclusively by the members of the CPAR.

• When will the Compliance Program be evaluated?
The Manual sets forth that the CPAR will receive the information on the compliance program of the company under investigation along with its written defense, but the evaluation of the compliance program itself should be done at a later time, after a final decision on the liability of the legal entity is determined. The CPAR may find that the legal entity did not violate the Brazilian Anti-Bribery Law or that the procedure did not present conclusive evidence that a violation was committed, in which case the evaluation of the compliance program would be irrelevant, as it would not impact the sanctions to be applied to the legal entity.

The Manual recommends the evaluation of the Compliance Program only when a final report is to be issued, and in the following cases, cumulatively:

1. The CPAR decides to impose a sanction on the company.
2. The evaluation of the parameters to be considered in the calculation of the fine indicates a fine percentage above 0.
3. The benefits earned by the company due to the violation committed do not exceed 20% of the company’s gross profit.

• How will the Compliance Program be evaluated?
The evaluation of the compliance program will be made through a worksheet, which will be completed by the evaluators based on the documents and information presented by the company. The evaluation is made automatically, and the evaluator will answer each question with “No” (equivalent to 0), “Partially” (equivalent to 1) or “Yes” (equivalent to 2). Each question will carry a different weight.

The Manual included an Evaluation Table, with questions based on the parameters set forth in the Decree and considerations on how to evaluate each parameter, in order to reduce the fines that the company may be subject to.

According to the CGU, the methodology proposed could be used in most cases, but in situations in which a company and/or its compliance program are peculiar and very specific, evaluators may opt out of using the table, upon motivated decision, while still using the considerations on each of the parameters included in the Manual.

The evaluation of the Compliance Program is divided into 3 separate sections:

1. Integrity Corporate Culture – the questions in this section aim to assess if the company has conditions to foster and maintain an integrity culture.
2. Integrity mechanisms, policies and procedures – the questions in this section aim to assess if the company has appropriate mechanisms that could prevent, detect and remediate violations of the Brazilian Anti-Bribery Law.
3. Conduct of the company in relation to the wrongful act – the questions in this section aim to assess (i) how the compliance program prevents, detects or remediates the wrongful act under investigation and (ii) if the company implemented measures to prevent the occurrence of similar acts. According to the Manual, the first item is exclusive to companies that already had a compliance program in place during the alleged violation, and the second item would also apply to the companies that implemented a compliance program after the alleged misconduct. In this section, companies can earn negative points (up to -0,6%).

There are preliminary questions regarding the profile of the company and the wrongful acts being investigated by the PAR, and depending on those answers, some of the questions of each section would not be considered for the evaluation or might have different scores.

Below is an unofficial translation of the questions which the evaluators will answer in order to evaluate compliance programs:

I. Integrity Corporate Culture

1. Organizational structure of the legal entity and its relationship with the Compliance Program.

1.1. Does the legal entity have a formal organizational structure, set forth in bylaws, articles of incorporation, internal regulation or other norms?
1.2. Is the organizational structure available for the internal audience of the company?
1.3. Does the legal entity make available on its website information about the organizational structure?
1.4. Does the legal entity have in its structure an area (or areas) to handle matters related to ethics and integrity, with the participation of members of the senior management, such as ethics committees and boards?

1.4.1. Is the manner in which the participation of senior management occurs formalized?
1.4.2. Did the company present documents that evidence the occurrence of more than one meeting in the last twelve months, from the date of the presentation of the profile and compliance reports in the PAR?

2. Commitment and support of senior management to the compliance program

2.1. Does the legal entity have formal criteria for the selection of members from senior management that include integrity elements, such as lack of involvement with corruption acts?
2.2. Is the approval of the main compliance-related policies done by the upper-level decision-making areas of the legal entity?
2.3. Does the legal entity’s senior management participate in the supervision of activities related to the compliance program?
2.4. Did the members of the legal entity’s senior management participate in compliance trainings in the last twelve months following the date of the presentation of the profile and compliance reports in the PAR?
2.5. Are members of the senior management who were involved in the wrongful acts still in their position or in other positions of senior management?
2.6. Were there public statements of support to the compliance program made by the legal entity?

2.6.1. The statements of support:

a. Were personalized, that is, were the statements signed directly by the members of senior management of the legal entity under evaluation?
b. Were made by members of senior management involved in the wrongful acts under investigation in the PAR?
c. Were made periodically (not isolated) in the last twelve months following the date of the presentation of the profile and compliance reports in the PAR?
d. Had content that expressed a message encouraging the employees to adopt an ethical conduct, according to the compliance program?
e. Were directed to the internal audience of the legal entity?
f. Were directed to the external audience of the legal entity?

2.7. Was the legal entity not able to present evidence on the commitment and support of the members of senior management to the compliance program? To answer YES to the question, the evaluator should have answered NO to all other questions from item 2.

3. Internal body responsible for the compliance program

3.1. Does the legal entity have an internal body responsible for the compliance program?

3.1.1. Regarding the internal body responsible for the compliance program:

a. Is it formally established?
b. Are its responsibilities expressly set forth in a formal document, approved by the legal entity’s senior management?
c. Is it a specific department within the legal entity, with responsibilities related exclusively to the compliance program?
d. Does it have autonomy to make decisions, and is not subordinated to other departments such as Legal, Human Resources, Internal Audit or Finance?

3.2. Are there employees exclusively dedicated to activities related to the compliance program?
3.3. Does the area responsible for compliance have as a prerogative the possibility of reporting to the highest hierarchical level at the legal entity?

3.3.1. Is this prerogative carried out, and is it possible to verify that in the last twelve months, following the date of the presentation of the profile and compliance reports in the PAR, the representative of the compliance area had meetings with the highest hierarchical level at the legal entity more than once?

3.4. Does the person responsible for the compliance area have express guarantees that allow them to perform their duties with independence and authority, such as protection against arbitrary punishments, mandate, autonomy to request documents and interview employees from any department of the legal entity?
3.5. Was the legal entity not able to present evidence about the existence and performance of an internal body responsible for the compliance program? To answer YES to the question, the evaluator should have answered NO to all other questions from item 3.

4. Code of Ethics and Conduct – or other formal document that establishes the conduct and ethical standards expected from all employees and managers of the legal entity

4.1. Has the legal entity presented a Code of Ethics and Conduct, or an equivalent document, available in Portuguese?

4.1.1. Was the legal entity not able to present a Code of Ethics and Conduct, or equivalent document, available in Portuguese? To answer YES to the question, the evaluator should have answered NO to all other questions from item 4.

4.2. Was the presented document formally approved by the legal entity’s senior management?
4.3. Regarding the content of the presented document:

a. Does it expressly include ethics and integrity as one of the principles or values of the legal entity?
b. Is it aligned with the specific features of the legal entity, such as areas in which the business operates and the level of interaction with the public administration?
c. Is it aligned with the Brazilian anti-bribery legislation, expressly prohibiting corruption and other acts against the public administration?
d. Does it expressly indicate the ones responsible to answer questions regarding its enforcement?
e. Does it expressly indicate the channels available for making reports about ethical/legal violations?
f. Does it expressly set forth the guarantees to protect good-faith whistleblowers?
g. Does it mention the possibility of applying sanctions against those who committed ethical/legal violations, regardless of the job or function held by the individual who committed the violation?

4.4. Regarding the document’s accessibility:

a. Is it written in a manner that is easy to understand?
b. Can it be easily accessed by the legal entity’s employees, including those who do not have access to computers?
c. Is it available on the legal entity’s website?

4.5. Were there any actions related to the dissemination of this document in the last twelve months, from the date of the presentation of the profile and compliance reports in the PAR?
4.6. Were there any trainings about its content to employees and managers of the legal entity in the last twelve months, following the date of the presentation of the profile and compliance reports in the PAR?

4.6.1. Were these trainings conducted with at least 50% of the legal entity’s employees?

5. Enforcement of the document indicated in the previous item (Code of Ethics or Conduct) or an equivalent document (a code specific for third parties, for example) to third parties, such as suppliers, vendors, agents and associates.

5.1. Regarding the Code of Ethics or Conduct of the legal entity or an equivalent document applicable to third parties:

a. Does it expressly prohibit acts of corruption or other acts against the public administration by third parties?
b. Does it indicate the channels available for third parties to make reports?
c. Does it mention the possibility of sanctions against third parties that commit ethical or legal violations?

5.2. Does the legal entity provide versions of this document or does it inform how it can be accessed by these third parties?
5.3. Does the legal entity request that the third parties certify that they are aware of the document and its content?
5.4. Were there trainings in the last two years, regarding its content, to the main third parties with which the legal entity has business relations?

5.4.1. Was the legal entity not able to present evidence on trainings about its ethics and conduct standards to the agents that act on its behalf, in the last twelve months, from the date of the presentation of the profile and compliance reports in the PAR?

6. Structure for trainings related to the Compliance Program

6.1. Has the legal entity presented a plan for conducting trainings related to the compliance program?
6.2. Does the body responsible for the compliance program participate in the planning, creation, conduction and/or contracting of trainings related to integrity matters?
6.3. Are there controls in place to verify the participation of employees in the trainings?
6.4. Are there mechanisms to verify the retention of the content of the trainings?

II. Integrity mechanisms, policies and procedures

7. Risk assessment for the design and/or enhancement of the Compliance Program

7.1. Did the legal entity conduct a risk assessment which encompassed risks related to corruption and fraud?
7.2. Was the risk analysis conducted (or redone) in the last twenty-four months, following the date of the presentation of the profile and compliance reports in the PAR?
7.3. Is there a plan for the risk assessment to be conducted periodically?

8. Prevention of frauds and illicit acts in the interactions of the legal entity with the public administration

8.1. Has the legal entity presented policies and procedures which:

a. Expressly prohibit granting undue advantages, financial or not, to public officials?
b. Address the offer of presents, small gifts and hospitalities (meals, entertainment, travel and lodging) to public officials?
c. Address the prevention of conflict of interest in the relationships with the public administration, including hiring public officials and their relatives?
d. Establish guidelines and controls on topics such as meetings and other type of interactions between officers and employees of the legal entity with public officials?
e. Establish specific guidelines so that its officers, employees or third parties acting on behalf of the legal entity cooperate with possible investigations and audits conducted by public bodies, entities or officials?

8.2. Are the existing policies and procedures easily accessible by the legal entity’s employees?
8.3. Was the content of these policies and procedures addressed in the trainings conducted by the legal entity in the last twelve months, from the date of the presentation of the profile and compliance reports in the PAR?
8.4. Did the legal entity present documents that evidence the enforcement in the last twelve months, from the date of the presentation of the profile and compliance reports in the PAR, of the policies and procedures that address the following subjects:

a. Offer of small gifts, presents and hospitality?
b. Conflict of interest?
c. Interaction with public officials, such as meetings?

8.5. Did the legal entity present documents that indicate the monitoring of the enforcement of the policies and procedures presented, such as periodical reports, statistics and markers?
8.6. The legal entity did not present policies and procedures adapted to the Brazilian legislation.
8.7. The legal entity did not present evidence that it makes available Portuguese versions of its policies and procedures for stakeholders.
8.8. The legal entity did not present evidence about the existence of policies and procedures related to interaction with the Public Administration. To answer the question with YES, the evaluator must have answered NO (zero) to all the other questions from item 8.

9. Specific policies and procedures to prevent fraud and illicit acts within public tender proceedings and contracts with the public administration.

9.1. Is there guidance about the expected conduct, regarding public tender proceedings and contracts with the public administration, in the policies and procedures presented, applicable to:

a. the legal entity’s employees?
b. third parties that act on behalf of the legal entity in public tender proceedings or contracts with the public administration?

9.2. Regarding the content of the policies and procedures presented:

a. Do they address the relationship between the legal entity and its competitors, in order to avoid anti-competitive practices that enable fraud in public tender proceedings and contracts with the public administration?
b. Do they address the monitoring of contracts with the public administration?
c. Do they expressly indicate who is responsible for authorizing the adoption of measures related to the participation in public tenders and contracting and extension of contracts with the public administration?

9.3. Were there specific trainings related to existing policies and procedures for the audience responsible for its enforcement, in the last twelve months, following the date of the presentation of the profile and compliance reports in the PAR?
9.4. Did the legal entity present documents that evidence the enforcement of the policies and procedures that address public tenders and contracts with the Public Administration, in the last twelve months, from the date of the presentation of the profile and compliance reports in the PAR?
9.5. Did the legal entity present documents that evidence the monitoring of the enforcement of policies and procedures related to the participation in public tenders and contracts with the public administration, such as periodical reports, statistics and markers?
9.6. Does the legal entity publish to external audience information about participation in public tenders and contracts with the Public Administration?
9.7. The legal entity did not present policies and procedures adapted to the Brazilian legislation.
9.8. The legal entity did not present evidence that it makes available Portuguese versions of its policies and procedures for stakeholders.
9.9. The legal entity did not present evidence about the existence of specific policies and procedures to prevent frauds and illicit acts in public tenders and contracts with the public administration. To answer the question with YES, the evaluator must have answered NO (zero) to all the other questions from item 9.

10. Mechanisms and controls to ensure precise and clear accounting records, as well as the reliability of financial statements and reports.

10.1. Does the legal entity have workflows in place for the preparation of accounting entries?
10.2. Does the legal entity have rules that establish the separation of functions and definitions of authorization levels of approval of revenue and expenses?
10.3. Does the legal entity have mechanisms to detect revenue or expenses that are out of standard and/or red flags in accounting entries?
10.4. Does the legal entity have rules that require the verification of the fulfillment of the scope of a contract before a payment is made?
10.5. Does the legal entity have a formally structured internal audit department?
10.6. Is the legal entity subject to an independent accounting audit?

11. Due Diligence for engagement and supervision of third parties

11.1. Do the due diligences conducted by the legal entity prior to engaging third parties include the following:

a. Verification of any involvement of third parties in cases related to corruption and fraud against the public administration?
b. Verification of the existence of implemented compliance programs in the third parties evaluated, to mitigate risks of corruption and fraud against the public administration?
c. Conducting thorough due diligences on third parties in the context of partnerships, such as consortiums, associations, joint ventures or special purpose entities?

11.2. Regarding the rules on due diligences prior to engaging third parties:

a. Do the rules favor engagement of third parties that have low integrity risks?
b. Do the rules establish the need to adopt measures to mitigate risks in the engagement of third parties, in situations in which the results of the diligences present high integrity risks?
c. Do the rules prevent the engagement or partnership, in situations in which it is verified that a third party has a high integrity risk?

11.3. Is there separation of functions between those who conduct the due diligences and the ones responsible for carrying out the engagement of the third party?
11.4. Does the department responsible for the Compliance Program participate in the due diligence?
11.5. Did the legal entity present documents demonstrating that the due diligences of third parties are enforced by the legal entity, such as forms filled out by the third party, e-mails requesting information to third parties and evaluations of the risk profile of the third party?
11.6. Regarding the agreements executed with third parties:

a. Is there a clause requiring compliance with ethical norms and prohibiting corrupt and fraudulent practices (anti-corruption clause)?
b. Is there a provision foreseeing penalties and/or termination of the agreement if there is non-compliance with ethical norms and fraud and corruption practices?

11.7. Did the legal entity present copies of agreements demonstrating the existence of an anti-corruption clause and a provision foreseeing penalties for not complying with the clause?
11.8. The legal entity did not present evidence of diligences for the engagement and supervision of third parties. To answer the question with YES, the evaluator must have answered NO (zero) to all the other questions from item 11.

12. Due Diligences prior to mergers and acquisitions, in order to verify the existence of irregularities or illicit acts, or to verify the vulnerabilities of the legal entities involved in these transactions.

12.1. Does the legal entity conduct specific due diligence to verify if the legal entities involved in M&A transactions have prior involvement with the wrongful acts set forth in Law 12,846/2013 (Anti-Bribery Law) and other illicit acts related to corruption and fraud in public tenders and contracts with the public administration?
12.2. Does the legal entity conduct due diligences to verify if the partners of the legal entities involved in M&A transactions have prior involvement with illicit acts related to corruption and fraud in public tenders and contracts with the public administration?
12.3. If due diligence conducted indicates the existence of prior involvement with practices related to corruption and fraud in public tenders and contracts with the public administration, are there procedures already in place to be followed by the legal entity in relation to the operation?
12.4. Does the department responsible for the compliance program participate in the decision-making process of whether or not the operation should occur?

13. Channels to report irregularities

13.1. Does the legal entity make available channels to report irregularities, in Portuguese?

a. Available for its employees?
b. Available for the external public?

13.2. Regarding the existing channels:

a. Is it clear that they can be used by individuals to make reports related to corruption and other irregularities set forth in Law 12,846/13?
b. Are the protections guaranteed to individuals who make reports clear?
c. Is it possible for the individual who made the report to monitor the developments of how the report is being assessed?

13.3. Did the legal entity make any efforts to disseminate information about channels available to report irregularities in the last twelve months, following the date of the presentation of the profile and compliance reports in the PAR?
13.4. Did the legal entity present formal procedures which:

a. Regulate how the reports should be assessed?
b. Establish penalties to be applied?

13.5. Did the legal entity present statistics on the reports received and assessed and/or other information indicating that the reporting channel is monitored?

13.5.1. Based on the statistics presented, is it possible to verify a proportionality between the number of reports received and the number of reports addressed?

13.6. The legal entity did not present evidence that it has a channel for reporting of irregularities available; or, even if it has one available, it did not present evidence of the existence of a minimal structure so that reports are being assessed?

III. Response of the company in relation to the wrongful act

14. The compliance program in existence prior to the wrongful act

14.1. Was the legal entity, through its already existing control mechanisms, capable of preventing the wrongful act?
14.2. Has the legal entity notified the competent authorities about the facts before the initiation of proceedings of the PAR?
14.3. Has the legal entity fully repaired the damage caused by the wrongful act?
14.4. Regarding the individuals involved in the wrongful act:

a. Has the legal entity disciplined employees involved in the wrongful act?
b. Were the employees involved in the wrongful act, and still employed by the legal entity, removed from positions with administrative, management and legal representation powers?
c. Are the employees involved in the wrongful act, who are still employed by the legal entity, being monitored?

14.5. Has the legal entity implemented specific procedures (or improved the already existing mechanisms) to prevent similar wrongful acts, such as the ones investigated in the PAR, from happening again?

14.5.1. Have the employees in charge of implementing the procedures been trained specifically for this purpose?
14.5.2. Has the legal entity presented documents that ascertain the implementation of these specific procedures in their routine?

14.6. Did the legal entity conduct or is currently conducting an internal investigation/audit to identify if any other wrongful acts have occurred, besides the facts investigated by PAR? Or has the legal entity hired an independent organization to conduct the investigation?
14.7. Has the legal entity failed to demonstrate any action from their compliance program regarding the wrongful act? To answer YES to the question, the evaluator must have answered NO (zero) to all the previous questions from item 14.

15. The compliance program implemented after the wrongful act

15.1. Regarding the individuals involved in the wrongful act:

a. Has the legal entity dismissed the employees involved in the wrongful act?
b. Were the employees implicated, who are still at the legal entity, removed from positions with administrative, management and legal representation powers?
c. Are the employees involved in the wrongful act, who are still at the legal entity, being monitored?

15.2. Has the legal entity implemented specific procedures to prevent similar wrongful acts such as the ones investigated in PAR from happening again?

15.2.1. Have the employees in charge of implementing the procedures been trained specifically for this purpose?
15.2.2. Has the legal entity presented documents that ascertain the implementation of these specific procedures in their routine?

15.3. Did the legal entity conduct or is currently conducting an internal investigation/audit to identify if any other wrongful acts have occurred, besides the facts investigated by PAR? Or has the legal entity hired an independent organization to conduct the investigation?
15.4. Has the legal entity failed to demonstrate any action from their compliance program regarding the wrongful act? To answer YES to the question, the evaluator must have answered NO (zero) to all the previous questions from item 14.

We are available to assist your company with an assessment of its compliance program so that it can fulfill the requirements expected by the evaluators.
